Firewall Wizards mailing list archives
Re: Evolution of Firewalls
From: ArkanoiD <ark () eltex ru>
Date: Tue, 9 Mar 2004 12:24:33 +0300
nuqneH, There is a major difference: a proxy does analysis and reconstructs the data stream from the analysed data, while a stateful inspection system can only decide to let it pass or not. The impact is obvious: it is much more likely for a stateful inspection system to miss a thing that is not known to it, or for a bug to be exploited when the inspection system parses data differently from the communication endpoint. The proxy output stream, not only the general verdict, depends on parsing results. YMMV and it is implementation dependent; a bad proxy may implement a protocol without proper detail and a good stateful inspection engine may behave better, but proxy technology in general is clearly superior for the real world.

On Mon, Mar 08, 2004 at 02:37:02PM -0500, Dave Piscitello wrote:
Stateful inspection, deep packet inspection, application protection, application intelligence, application aware ... lots of names for the same security functionality: examining application headers and application data streams for attacks and blocking them. You can do this using a proxy architecture, and some vendors still do, while some use the same stateful packet inspecting methods they used to examine network protocol headers. The most secure firewall? Probably has less to do with proxy vs. stateful inspection than with policy, implementation/configuration, and the admin at the policy console.

At 08:48 PM 3/7/2004 -0500, Frederick M Avolio wrote:

At 11:56 PM 3/4/2004 +0800, skpoo () pacific net sg wrote:
... Our team is currently debating if the Stateful Deep Inspection firewall is going to be the new technology to replace the Application Proxy firewall, which is deemed to be the most secure currently. ...

At the risk of being obvious -- or worse, being called a dinosaur :-), it depends. Do you care more about usability or security? When push comes to shove, is it more important to never stop a connection, at the risk of the possibility of something bad slipping through? It really is as simple as that. I tell people in one of my classes, you hear about it if you misconfigure your firewall to reject a required action, but will rarely hear about it if you allow too much through. (I stated it as "You always hear about conservative errors but rarely about liberal ones," but that could be taken wrong nowadays.)

Fred

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
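The distinction ArkanoiD draws above, as an added illustration that is not from the list or from any vendor's product: a verdict-only inspector forwards the original bytes whenever the policy allows them, while a proxy re-serialises only what it parsed and refuses what it cannot parse unambiguously. The request bytes, the tiny header parser and the host allow-list are all constructed for this example.

```python
from __future__ import annotations

# Constructed request: a header with stray whitespace before the colon and a
# field name that appears twice with two different values.
RAW = (b"GET /index.html HTTP/1.1\r\n"
       b"Host : example.test\r\n"
       b"x-request-id: 1\r\n"
       b"X-Request-ID: 2\r\n"
       b"\r\n")
# The same request without the repeated field.
CLEAN = RAW.replace(b"X-Request-ID: 2\r\n", b"")

ALLOWED_HOSTS = {"example.test"}  # constructed policy


def parse_headers(raw: bytes) -> tuple[bytes, dict[str, list[str]]]:
    """Split a header block into the request line and name -> [values]."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        # Canonical key: lower-cased, whitespace stripped on both sides.
        key = name.strip().lower().decode()
        headers.setdefault(key, []).append(value.strip().decode())
    return lines[0], headers


def stateful_inspect(raw: bytes) -> bytes | None:
    """Verdict-only inspection: the ORIGINAL bytes go through when the
    policy says pass.  Whatever the inspector's parser tolerated (the
    odd spacing, the duplicate field) still reaches the endpoint."""
    _, headers = parse_headers(raw)
    hosts = headers.get("host", [])
    return raw if len(hosts) == 1 and hosts[0] in ALLOWED_HOSTS else None


def proxy_forward(raw: bytes) -> bytes | None:
    """Proxy: the output is rebuilt from the parsed representation, so the
    endpoint sees only what the proxy understood.  A field seen twice is
    ambiguous, so the request is refused instead of being forwarded."""
    request_line, headers = parse_headers(raw)
    if any(len(values) != 1 for values in headers.values()):
        return None
    if headers.get("host", [""])[0] not in ALLOWED_HOSTS:
        return None
    out = [request_line]
    for name in sorted(headers):
        out.append(f"{name}: {headers[name][0]}".encode())
    return b"\r\n".join(out) + b"\r\n\r\n"
```

Fed RAW, the inspector forwards the duplicated field untouched while the proxy refuses it; fed CLEAN, both accept the request but the proxy's output differs from its input, because it is derived from the parse rather than copied through.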
Current thread:
- Evolution of Firewalls skpoo (Mar 07)
- <Possible follow-ups>
- Re: Evolution of Firewalls Frederick M Avolio (Mar 07)
- Re: Evolution of Firewalls Dave Piscitello (Mar 08)
- Re: Evolution of Firewalls Frederick M Avolio (Mar 08)
- Re: Evolution of Firewalls Dave Piscitello (Mar 09)
- Re: Evolution of Firewalls Frederick M Avolio (Mar 09)
- Re: Evolution of Firewalls Christian Kreibich (Mar 11)
- Re: Evolution of Firewalls Dave Piscitello (Mar 08)
- Re: Evolution of Firewalls ArkanoiD (Mar 09)
- Re: Evolution of Firewalls Patrick M. Hausen (Mar 11)
- Re: Evolution of Firewalls Mikael Olsson (Mar 11)
- Message not available
- Re: Evolution of Firewalls ArkanoiD (Mar 11)
- vpn end-point Shimon Silberschlag (Mar 18)
- Re: Evolution of Firewalls Marcus J. Ranum (Mar 09)
- Re: Evolution of Firewalls Devdas Bhagat (Mar 11)
- Re: Evolution of Firewalls Marcus J. Ranum (Mar 12)
- Re: Evolution of Firewalls ArkanoiD (Mar 18)